CVE-2026-34076 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in multiple Clerk JavaScript authentication libraries. The clerkFrontendApiProxy function in @clerk/backend is vulnerable to SSRF attacks, allowing an unauthenticated attacker to craft a malicious request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This vulnerability affects several Clerk packages including @clerk/hono, @clerk/express, @clerk/backend, and @clerk/fastify.
Critical Impact
Unauthenticated attackers can exfiltrate the Clerk-Secret-Key credential, potentially compromising the entire authentication infrastructure of affected applications.
Affected Products
- @clerk/hono versions 0.1.0 to before 0.1.5
- @clerk/express versions 2.0.0 to before 2.0.7
- @clerk/backend versions 3.0.0 to before 3.2.3
- @clerk/fastify versions 3.1.0 to before 3.1.5
Discovery Timeline
- 2026-04-01 - CVE CVE-2026-34076 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-34076
Vulnerability Analysis
This vulnerability is classified as CWE-918: Server-Side Request Forgery (SSRF). The flaw exists within the clerkFrontendApiProxy function found in the @clerk/backend package. When the proxy processes incoming requests, it fails to properly validate and sanitize the request path, allowing attackers to manipulate the destination of outbound requests.
The critical security implication is that the proxy inadvertently includes sensitive authentication credentials—specifically the Clerk-Secret-Key—in requests directed to attacker-controlled endpoints. This key is used to authenticate server-side operations with Clerk's API, and its exposure could allow attackers to impersonate the application, access user data, or manipulate authentication flows.
Root Cause
The root cause of this vulnerability lies in insufficient input validation within the clerkFrontendApiProxy function. The proxy mechanism does not adequately restrict or sanitize the request path parameter, enabling path manipulation attacks. When an attacker crafts a specially formatted request path, the proxy follows the redirect to an external server while including authentication headers containing the secret key.
Attack Vector
The attack can be executed remotely over the network without any authentication. An attacker crafts a malicious HTTP request with a manipulated path that causes the Clerk proxy to redirect the request to an attacker-controlled server. The proxy includes the Clerk-Secret-Key in the outbound request headers, which the attacker's server captures. This credential theft occurs without user interaction and requires no prior access to the target system.
The attack flow involves sending a crafted request to an application endpoint that uses the vulnerable clerkFrontendApiProxy function. The proxy misinterprets the manipulated path and initiates an outbound request to the attacker's server, inadvertently forwarding sensitive authentication credentials. For detailed technical analysis, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-34076
Indicators of Compromise
- Unusual outbound HTTP requests from application servers to external, unknown endpoints
- Unexpected requests containing Clerk-Secret-Key headers to non-Clerk domains
- Log entries showing abnormal proxy redirections or path traversal patterns
- Authentication anomalies suggesting credential compromise or unauthorized API access
Detection Strategies
- Monitor outbound network traffic for connections to unexpected external hosts from servers running Clerk-enabled applications
- Implement web application firewall (WAF) rules to detect and block requests with suspicious path manipulation patterns
- Review application logs for unusual request paths targeting the Clerk proxy endpoints
- Deploy network-level anomaly detection to identify credential exfiltration attempts
Monitoring Recommendations
- Enable verbose logging on Clerk SDK functions, particularly around proxy operations
- Set up alerts for outbound requests containing authentication headers to non-whitelisted domains
- Monitor for sudden spikes in authentication failures that may indicate compromised credentials
- Implement real-time monitoring of API key usage patterns through Clerk's dashboard
How to Mitigate CVE-2026-34076
Immediate Actions Required
- Upgrade @clerk/hono to version 0.1.5 or later immediately
- Upgrade @clerk/express to version 2.0.7 or later
- Upgrade @clerk/backend to version 3.2.3 or later
- Upgrade @clerk/fastify to version 3.1.5 or later
- Rotate all Clerk-Secret-Key credentials as a precaution if exploitation is suspected
Patch Information
Clerk has released patches for all affected packages. The security issue has been resolved in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5. Organizations should update their dependencies to these patched versions immediately. For complete patch details and changelog information, refer to the GitHub Security Advisory.
Workarounds
- Restrict outbound network access from application servers to only known, trusted endpoints using firewall rules
- Implement additional proxy validation at the application layer to sanitize request paths before processing
- Temporarily disable the clerkFrontendApiProxy function if not critical to operations until patching is complete
- Deploy a reverse proxy or WAF in front of the application to filter malicious request patterns
# Update Clerk packages to patched versions
npm update @clerk/backend@3.2.3
npm update @clerk/express@2.0.7
npm update @clerk/hono@0.1.5
npm update @clerk/fastify@3.1.5
# Verify installed versions
npm list @clerk/backend @clerk/express @clerk/hono @clerk/fastify
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
